An Infosec Prediction: More Human-Based Attacks

As those performing attacks against corporate IT assets become more professional, we're going to start seeing more of the following types of attacks:

Bribery

Extortion

Blackmail

Think about who’s increasingly behind the information security attacks these days, and think of how they could more effectively attack an organization given large amounts of money and their willingness to engage in standard, physical crime.

The Problem

How hard is it to find out who works in IT at a large organization? How difficult would it be to make contact with someone who can disable or modify the anti-malware systems at one of these Fortune 500 companies? And what would happen if someone with an Eastern European accent offered Bob, the mediocre (but dangerously knowledgeable) IT guy, the following sorts of propositions:

I’ll give you $50,000 cash to drop this piece of malware on your network. It’s undetectable by all of your malware detection and will remain so because this is the only place we’re going to use it. It will give us information we can use to silently extort your company’s C-level execs, and nobody will ever know how we got the information. They’re millionaires anyway. Think about it — all your debt instantly gone — plus a new home theater system that’ll be the envy of the neighborhood.

…and if/when Bob says no…

You’ll take the money and be happy or me and my meth-selling buddies will start getting real cozy with your wife, and we might accidentally burn down your house, too, or hurt your daughter. Don’t bother calling the police; we’re an international crime syndicate and that will just annoy us. Trust me, take the money and everything will go smooth. How about a new car?

Then there's the blackmail angle, if they're willing to do some research and/or some setups. The point is that all they need is one internal employee to drop their highly specialized, virtually undetectable malware onto the internal LAN.

In short, the game is to overcome the internal employee's fear of being caught with either a bigger fear or with greed. And that's precisely what this new type of traditional, organized criminal player is good at. They're already into the classical elements, e.g. drugs, guns, violence and prostitution, so leveraging those resources to reap profits in the cyber world seems more inevitable than far-fetched.

This isn't just movie-plot stuff; there really are very organized criminal groups, with millions of dollars of backing, getting into the business of pulling the IT jewels out of top U.S. companies. And when they start figuring out that shmuck-boy the IT guy is the thing standing between them and a multi-billion-dollar company's most sensitive information, the games will begin. In fact, I'm willing to bet they've already started.

The Information Security Response

There are predictable ways that we in information security will react:

Increasing the types of background checks required to get into IT. Debts and overall life stability will be increasingly scrutinized, much in the same way they are for those holding clearances in the intelligence community. In fact, clearances may become a new standard for certain IT shops.

Separation of duties, least privilege, and auditing will start to get taken far more seriously by everyone. Everyone from the companies themselves to the groups auditing them is going to be looking very hard at how to limit the damage an individual employee can do if he or she goes bad: no single admin should be able to silence the anti-malware stack on their own, and every such change should leave a record that someone else reviews.

Additional outsourcing of sensitive roles due to the specialized requirements of IT in the future. If clearances are needed, as well as training in how to deal with these types of threats, that’s just going to be that much more reason for companies to outsource the whole operation to external experts.

Additional professionalization of IT due to the newer, more stringent requirements. More requirements for college degrees and/or certifications, plus initial and ongoing background checks, will raise the bar for entry into the field. This will further exacerbate any existing IT labor issues and complicate the discussion of using foreign-born workers.
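The separation-of-duties point above is the one that actually stops Bob: if disabling real-time scanning or adding an exclusion requires a change ticket approved by a second person, and an audit job flags every change that lacks one, a bribed admin either has to recruit an accomplice or gets caught on the next review. The script below is an added example, not something from the original post or from any vendor; the audit-log format, the action names (`av_realtime.disable`, `av_exclusion.add`, `av_policy.modify`, `av_change.approve`) and the sample events are constructed here to illustrate the check. It implements a two-person rule: each sensitive anti-malware change must be preceded, within a 24-hour window, by an approval on the same ticket from a different account.

```python
"""Two-person-rule audit for anti-malware configuration changes (illustrative)."""
import json
from datetime import datetime, timedelta

# Hypothetical action names; a real EDR/AV console will use its own vocabulary.
SENSITIVE_ACTIONS = {"av_realtime.disable", "av_exclusion.add", "av_policy.modify"}
APPROVE_ACTION = "av_change.approve"
APPROVAL_WINDOW = timedelta(hours=24)

# Constructed sample audit log (JSON lines). Not real data.
# - CHG-101: approved by alice, changed by bob          -> fine
# - CHG-102: bob approves his own ticket, then changes  -> self-approved
# - no ticket: bob adds a wildcard exclusion            -> no change ticket
# - CHG-103: approval is days old when the change lands -> stale approval
SAMPLE_LOG = """\
{"ts": "2024-02-27T10:00:00", "actor": "alice", "action": "av_change.approve", "target": "CHG-103"}
{"ts": "2024-03-01T09:00:00", "actor": "alice", "action": "av_change.approve", "target": "CHG-101"}
{"ts": "2024-03-01T09:05:00", "actor": "bob", "action": "av_exclusion.add", "target": "CHG-101", "detail": "/srv/build/"}
{"ts": "2024-03-01T22:40:30", "actor": "bob", "action": "av_change.approve", "target": "CHG-102"}
{"ts": "2024-03-01T22:41:00", "actor": "bob", "action": "av_realtime.disable", "target": "CHG-102", "detail": "host=fs01"}
{"ts": "2024-03-02T03:15:00", "actor": "bob", "action": "av_exclusion.add", "target": "", "detail": "*.exe"}
{"ts": "2024-03-02T08:00:00", "actor": "bob", "action": "av_policy.modify", "target": "CHG-103", "detail": "scan_schedule=never"}
"""


def load_events(text):
    """Parse JSON-lines audit records, convert timestamps, and sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _finding(ev, reason):
    return {
        "ts": ev["ts"].isoformat(),
        "actor": ev["actor"],
        "action": ev["action"],
        "ticket": ev.get("target", ""),
        "reason": reason,
    }


def check_two_person_rule(events, window=APPROVAL_WINDOW):
    """Return one finding per sensitive change that lacks an independent, timely approval.

    An approval counts only if it is on the same ticket, made by a different
    account, and falls within `window` before the change itself.
    """
    approvals = {}
    for ev in events:
        if ev["action"] == APPROVE_ACTION and ev.get("target"):
            approvals.setdefault(ev["target"], []).append(ev)

    findings = []
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        ticket = ev.get("target") or ""
        if not ticket:
            findings.append(_finding(ev, "no change ticket"))
            continue
        in_window = [
            a for a in approvals.get(ticket, [])
            if ev["ts"] - window <= a["ts"] <= ev["ts"]
        ]
        if any(a["actor"] != ev["actor"] for a in in_window):
            continue  # independently approved: the rule is satisfied
        if in_window:
            findings.append(_finding(ev, "self-approved"))
        else:
            findings.append(_finding(ev, "no prior approval within window"))
    return findings


if __name__ == "__main__":
    for f in check_two_person_rule(load_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['actor']:<6} {f['action']:<20} {f['ticket'] or '-':<8} {f['reason']}")
```

In practice the approval events would come from the ticketing system and the change events from the AV console's audit trail; the check is the same once both are normalized to a common timeline. The window matters: an approval granted months ago should not license a change today, and the "no change ticket" case is the one a bribed admin is most likely to produce, since it requires no accomplice at all.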